[gentoo-commits] proj/linux-patches:4.4 commit in: /

["Mike Pagano" <mpagano@gentoo.org>]

commit:     e5d1e5b00493ff84e00a64d865ea68bca791188e
Author:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Thu Oct  5 11:39:34 2017 +0000
Commit:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Thu Oct  5 11:39:34 2017 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e5d1e5b0

Linux patch 4.4.90

 0000_README             |    4 +
 1089_linux-4.4.90.patch | 1208 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 1212 insertions(+)

diff --git a/0000_README b/0000_README
index 43c1c6e..fb5ca42 100644
--- a/0000_README
+++ b/0000_README
@@ -399,6 +399,10 @@ Patch:  1088_linux-4.4.89.patch
 From:   http://www.kernel.org
 Desc:   Linux 4.4.89
 
+Patch:  1089_linux-4.4.90.patch
+From:   http://www.kernel.org
+Desc:   Linux 4.4.90
+
 Patch:  1500_XATTR_USER_PREFIX.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc:   Support for namespace user.pax.* on tmpfs.

diff --git a/1089_linux-4.4.90.patch b/1089_linux-4.4.90.patch
new file mode 100644
index 0000000..658420d
--- /dev/null
+++ b/1089_linux-4.4.90.patch
@@ -0,0 +1,1208 @@
+diff --git a/Makefile b/Makefile
+index 7e4c46b375b3..ca5aaaf4aef7 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 89
++SUBLEVEL = 90
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+diff --git a/arch/arm/boot/dts/pxa27x.dtsi b/arch/arm/boot/dts/pxa27x.dtsi
+index 7f68a1ee7073..210192c38df3 100644
+--- a/arch/arm/boot/dts/pxa27x.dtsi
++++ b/arch/arm/boot/dts/pxa27x.dtsi
+@@ -13,6 +13,7 @@
+ 			interrupts = <25>;
+ 			#dma-channels = <32>;
+ 			#dma-cells = <2>;
++			#dma-requests = <75>;
+ 			status = "okay";
+ 		};
+ 
+diff --git a/arch/arm/boot/dts/pxa3xx.dtsi b/arch/arm/boot/dts/pxa3xx.dtsi
+index 564341af7e97..fec47bcd8292 100644
+--- a/arch/arm/boot/dts/pxa3xx.dtsi
++++ b/arch/arm/boot/dts/pxa3xx.dtsi
+@@ -12,6 +12,7 @@
+ 			interrupts = <25>;
+ 			#dma-channels = <32>;
+ 			#dma-cells = <2>;
++			#dma-requests = <100>;
+ 			status = "okay";
+ 		};
+ 
+diff --git a/arch/arm/mach-pxa/devices.c b/arch/arm/mach-pxa/devices.c
+index 2a6e0ae2b920..614e9d8f0a54 100644
+--- a/arch/arm/mach-pxa/devices.c
++++ b/arch/arm/mach-pxa/devices.c
+@@ -1203,6 +1203,7 @@ void __init pxa2xx_set_spi_info(unsigned id, struct pxa2xx_spi_master *info)
+ 
+ static struct mmp_dma_platdata pxa_dma_pdata = {
+ 	.dma_channels	= 0,
++	.nb_requestors	= 0,
+ };
+ 
+ static struct resource pxa_dma_resource[] = {
+@@ -1231,8 +1232,9 @@ static struct platform_device pxa2xx_pxa_dma = {
+ 	.resource	= pxa_dma_resource,
+ };
+ 
+-void __init pxa2xx_set_dmac_info(int nb_channels)
++void __init pxa2xx_set_dmac_info(int nb_channels, int nb_requestors)
+ {
+ 	pxa_dma_pdata.dma_channels = nb_channels;
++	pxa_dma_pdata.nb_requestors = nb_requestors;
+ 	pxa_register_device(&pxa2xx_pxa_dma, &pxa_dma_pdata);
+ }
+diff --git a/arch/arm/mach-pxa/pxa25x.c b/arch/arm/mach-pxa/pxa25x.c
+index 1dc85ffc3e20..049b9cc22720 100644
+--- a/arch/arm/mach-pxa/pxa25x.c
++++ b/arch/arm/mach-pxa/pxa25x.c
+@@ -206,7 +206,7 @@ static int __init pxa25x_init(void)
+ 		register_syscore_ops(&pxa_irq_syscore_ops);
+ 		register_syscore_ops(&pxa2xx_mfp_syscore_ops);
+ 
+-		pxa2xx_set_dmac_info(16);
++		pxa2xx_set_dmac_info(16, 40);
+ 		pxa_register_device(&pxa25x_device_gpio, &pxa25x_gpio_info);
+ 		ret = platform_add_devices(pxa25x_devices,
+ 					   ARRAY_SIZE(pxa25x_devices));
+diff --git a/arch/arm/mach-pxa/pxa27x.c b/arch/arm/mach-pxa/pxa27x.c
+index ffc424028557..2fb6430b7a34 100644
+--- a/arch/arm/mach-pxa/pxa27x.c
++++ b/arch/arm/mach-pxa/pxa27x.c
+@@ -309,7 +309,7 @@ static int __init pxa27x_init(void)
+ 		if (!of_have_populated_dt()) {
+ 			pxa_register_device(&pxa27x_device_gpio,
+ 					    &pxa27x_gpio_info);
+-			pxa2xx_set_dmac_info(32);
++			pxa2xx_set_dmac_info(32, 75);
+ 			ret = platform_add_devices(devices,
+ 						   ARRAY_SIZE(devices));
+ 		}
+diff --git a/arch/arm/mach-pxa/pxa3xx.c b/arch/arm/mach-pxa/pxa3xx.c
+index 20ce2d386f17..ca06f082497c 100644
+--- a/arch/arm/mach-pxa/pxa3xx.c
++++ b/arch/arm/mach-pxa/pxa3xx.c
+@@ -450,7 +450,7 @@ static int __init pxa3xx_init(void)
+ 		if (of_have_populated_dt())
+ 			return 0;
+ 
+-		pxa2xx_set_dmac_info(32);
++		pxa2xx_set_dmac_info(32, 100);
+ 		ret = platform_add_devices(devices, ARRAY_SIZE(devices));
+ 		if (ret)
+ 			return ret;
+diff --git a/arch/arm/plat-pxa/include/plat/dma.h b/arch/arm/plat-pxa/include/plat/dma.h
+index 28848b344e2d..ceba3e4184fc 100644
+--- a/arch/arm/plat-pxa/include/plat/dma.h
++++ b/arch/arm/plat-pxa/include/plat/dma.h
+@@ -95,6 +95,6 @@ static inline int pxad_toggle_reserved_channel(int legacy_channel)
+ }
+ #endif
+ 
+-extern void __init pxa2xx_set_dmac_info(int nb_channels);
++extern void __init pxa2xx_set_dmac_info(int nb_channels, int nb_requestors);
+ 
+ #endif /* __PLAT_DMA_H */
+diff --git a/arch/arm/xen/mm.c b/arch/arm/xen/mm.c
+index c5f9a9e3d1f3..28d83f536e93 100644
+--- a/arch/arm/xen/mm.c
++++ b/arch/arm/xen/mm.c
+@@ -199,6 +199,7 @@ static struct dma_map_ops xen_swiotlb_dma_ops = {
+ 	.unmap_page = xen_swiotlb_unmap_page,
+ 	.dma_supported = xen_swiotlb_dma_supported,
+ 	.set_dma_mask = xen_swiotlb_set_dma_mask,
++	.mmap = xen_swiotlb_dma_mmap,
+ };
+ 
+ int __init xen_mm_init(void)
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index 20ceb5edf7b8..d019c3a58cc2 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -446,6 +446,7 @@ ENDPROC(__mmap_switched)
+  * booted in EL1 or EL2 respectively.
+  */
+ ENTRY(el2_setup)
++	msr	SPsel, #1			// We want to use SP_EL{1,2}
+ 	mrs	x0, CurrentEL
+ 	cmp	x0, #CurrentEL_EL2
+ 	b.ne	1f
+diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
+index 7fabf49f2aeb..86485415c5f0 100644
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -447,7 +447,7 @@ static struct fault_info {
+ 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 0 translation fault"	},
+ 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 1 translation fault"	},
+ 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 2 translation fault"	},
+-	{ do_page_fault,	SIGSEGV, SEGV_MAPERR,	"level 3 translation fault"	},
++	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 3 translation fault"	},
+ 	{ do_bad,		SIGBUS,  0,		"unknown 8"			},
+ 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 1 access flag fault"	},
+ 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 2 access flag fault"	},
+diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
+index 54cf9bc94dad..3a095670b0c4 100644
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -101,22 +101,17 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
+ 				   struct kvm_create_spapr_tce *args)
+ {
+ 	struct kvmppc_spapr_tce_table *stt = NULL;
++	struct kvmppc_spapr_tce_table *siter;
+ 	long npages;
+ 	int ret = -ENOMEM;
+ 	int i;
+ 
+-	/* Check this LIOBN hasn't been previously allocated */
+-	list_for_each_entry(stt, &kvm->arch.spapr_tce_tables, list) {
+-		if (stt->liobn == args->liobn)
+-			return -EBUSY;
+-	}
+-
+ 	npages = kvmppc_stt_npages(args->window_size);
+ 
+ 	stt = kzalloc(sizeof(*stt) + npages * sizeof(struct page *),
+ 		      GFP_KERNEL);
+ 	if (!stt)
+-		goto fail;
++		return ret;
+ 
+ 	stt->liobn = args->liobn;
+ 	stt->window_size = args->window_size;
+@@ -128,23 +123,36 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
+ 			goto fail;
+ 	}
+ 
+-	kvm_get_kvm(kvm);
+-
+ 	mutex_lock(&kvm->lock);
+-	list_add(&stt->list, &kvm->arch.spapr_tce_tables);
++
++	/* Check this LIOBN hasn't been previously allocated */
++	ret = 0;
++	list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
++		if (siter->liobn == args->liobn) {
++			ret = -EBUSY;
++			break;
++		}
++	}
++
++	if (!ret)
++		ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
++				       stt, O_RDWR | O_CLOEXEC);
++
++	if (ret >= 0) {
++		list_add(&stt->list, &kvm->arch.spapr_tce_tables);
++		kvm_get_kvm(kvm);
++	}
+ 
+ 	mutex_unlock(&kvm->lock);
+ 
+-	return anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
+-				stt, O_RDWR | O_CLOEXEC);
++	if (ret >= 0)
++		return ret;
+ 
+-fail:
+-	if (stt) {
+-		for (i = 0; i < npages; i++)
+-			if (stt->pages[i])
+-				__free_page(stt->pages[i]);
++ fail:
++	for (i = 0; i < npages; i++)
++		if (stt->pages[i])
++			__free_page(stt->pages[i]);
+ 
+-		kfree(stt);
+-	}
++	kfree(stt);
+ 	return ret;
+ }
+diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c
+index ceb18d349459..8dd0c8edefd6 100644
+--- a/arch/powerpc/platforms/pseries/mobility.c
++++ b/arch/powerpc/platforms/pseries/mobility.c
+@@ -225,8 +225,10 @@ static int add_dt_node(__be32 parent_phandle, __be32 drc_index)
+ 		return -ENOENT;
+ 
+ 	dn = dlpar_configure_connector(drc_index, parent_dn);
+-	if (!dn)
++	if (!dn) {
++		of_node_put(parent_dn);
+ 		return -ENOENT;
++	}
+ 
+ 	rc = dlpar_attach_node(dn);
+ 	if (rc)
+diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
+index 0bc3490420c5..72a483c295f2 100644
+--- a/arch/x86/kernel/fpu/regset.c
++++ b/arch/x86/kernel/fpu/regset.c
+@@ -116,6 +116,11 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
+ 	xsave = &fpu->state.xsave;
+ 
+ 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
++
++	/* xcomp_bv must be 0 when using uncompacted format */
++	if (!ret && xsave->header.xcomp_bv)
++		ret = -EINVAL;
++
+ 	/*
+ 	 * mxcsr reserved bits must be masked to zero for security reasons.
+ 	 */
+@@ -126,6 +131,12 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
+ 	 */
+ 	memset(&xsave->header.reserved, 0, 48);
+ 
++	/*
++	 * In case of failure, mark all states as init:
++	 */
++	if (ret)
++		fpstate_init(&fpu->state);
++
+ 	return ret;
+ }
+ 
+diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
+index 31c6a60505e6..3de077116218 100644
+--- a/arch/x86/kernel/fpu/signal.c
++++ b/arch/x86/kernel/fpu/signal.c
+@@ -309,7 +309,9 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
+ 		fpu__drop(fpu);
+ 
+ 		if (__copy_from_user(&fpu->state.xsave, buf_fx, state_size) ||
+-		    __copy_from_user(&env, buf, sizeof(env))) {
++		    __copy_from_user(&env, buf, sizeof(env)) ||
++		    (state_size > offsetof(struct xregs_state, header) &&
++		     fpu->state.xsave.header.xcomp_bv)) {
+ 			fpstate_init(&fpu->state);
+ 			err = -1;
+ 		} else {
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index b12391119ce8..a018dff00808 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2029,8 +2029,8 @@ static void vmx_vcpu_pi_load(struct kvm_vcpu *vcpu, int cpu)
+ 
+ 		/* Allow posting non-urgent interrupts */
+ 		new.sn = 0;
+-	} while (cmpxchg(&pi_desc->control, old.control,
+-			new.control) != old.control);
++	} while (cmpxchg64(&pi_desc->control, old.control,
++			   new.control) != old.control);
+ }
+ /*
+  * Switches to specified vcpu, until a matching vcpu_put(), but assumes
+@@ -4541,21 +4541,30 @@ static inline bool kvm_vcpu_trigger_posted_interrupt(struct kvm_vcpu *vcpu)
+ {
+ #ifdef CONFIG_SMP
+ 	if (vcpu->mode == IN_GUEST_MODE) {
+-		struct vcpu_vmx *vmx = to_vmx(vcpu);
+-
+ 		/*
+-		 * Currently, we don't support urgent interrupt,
+-		 * all interrupts are recognized as non-urgent
+-		 * interrupt, so we cannot post interrupts when
+-		 * 'SN' is set.
++		 * The vector of interrupt to be delivered to vcpu had
++		 * been set in PIR before this function.
++		 *
++		 * Following cases will be reached in this block, and
++		 * we always send a notification event in all cases as
++		 * explained below.
+ 		 *
+-		 * If the vcpu is in guest mode, it means it is
+-		 * running instead of being scheduled out and
+-		 * waiting in the run queue, and that's the only
+-		 * case when 'SN' is set currently, warning if
+-		 * 'SN' is set.
++		 * Case 1: vcpu keeps in non-root mode. Sending a
++		 * notification event posts the interrupt to vcpu.
++		 *
++		 * Case 2: vcpu exits to root mode and is still
++		 * runnable. PIR will be synced to vIRR before the
++		 * next vcpu entry. Sending a notification event in
++		 * this case has no effect, as vcpu is not in root
++		 * mode.
++		 *
++		 * Case 3: vcpu exits to root mode and is blocked.
++		 * vcpu_block() has already synced PIR to vIRR and
++		 * never blocks vcpu if vIRR is not cleared. Therefore,
++		 * a blocked vcpu here does not wait for any requested
++		 * interrupts in PIR, and sending a notification event
++		 * which has no effect is safe here.
+ 		 */
+-		WARN_ON_ONCE(pi_test_sn(&vmx->pi_desc));
+ 
+ 		apic->send_IPI_mask(get_cpu_mask(vcpu->cpu),
+ 				POSTED_INTR_VECTOR);
+@@ -9683,6 +9692,11 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
+ 		vmcs_write64(VIRTUAL_APIC_PAGE_ADDR,
+ 				page_to_phys(vmx->nested.virtual_apic_page));
+ 		vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
++	} else {
++#ifdef CONFIG_X86_64
++		exec_control |= CPU_BASED_CR8_LOAD_EXITING |
++				CPU_BASED_CR8_STORE_EXITING;
++#endif
+ 	}
+ 
+ 	if (cpu_has_vmx_msr_bitmap() &&
+@@ -10691,8 +10705,8 @@ static int vmx_pre_block(struct kvm_vcpu *vcpu)
+ 
+ 		/* set 'NV' to 'wakeup vector' */
+ 		new.nv = POSTED_INTR_WAKEUP_VECTOR;
+-	} while (cmpxchg(&pi_desc->control, old.control,
+-			new.control) != old.control);
++	} while (cmpxchg64(&pi_desc->control, old.control,
++			   new.control) != old.control);
+ 
+ 	return 0;
+ }
+@@ -10723,8 +10737,8 @@ static void vmx_post_block(struct kvm_vcpu *vcpu)
+ 
+ 		/* set 'NV' to 'notification vector' */
+ 		new.nv = POSTED_INTR_VECTOR;
+-	} while (cmpxchg(&pi_desc->control, old.control,
+-			new.control) != old.control);
++	} while (cmpxchg64(&pi_desc->control, old.control,
++			   new.control) != old.control);
+ 
+ 	if(vcpu->pre_pcpu != -1) {
+ 		spin_lock_irqsave(
+@@ -10755,7 +10769,7 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
+ 	struct kvm_lapic_irq irq;
+ 	struct kvm_vcpu *vcpu;
+ 	struct vcpu_data vcpu_info;
+-	int idx, ret = -EINVAL;
++	int idx, ret = 0;
+ 
+ 	if (!kvm_arch_has_assigned_device(kvm) ||
+ 		!irq_remapping_cap(IRQ_POSTING_CAP))
+@@ -10763,7 +10777,12 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
+ 
+ 	idx = srcu_read_lock(&kvm->irq_srcu);
+ 	irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
+-	BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
++	if (guest_irq >= irq_rt->nr_rt_entries ||
++	    hlist_empty(&irq_rt->map[guest_irq])) {
++		pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
++			     guest_irq, irq_rt->nr_rt_entries);
++		goto out;
++	}
+ 
+ 	hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
+ 		if (e->type != KVM_IRQ_ROUTING_MSI)
+@@ -10793,12 +10812,8 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
+ 
+ 		if (set)
+ 			ret = irq_set_vcpu_affinity(host_irq, &vcpu_info);
+-		else {
+-			/* suppress notification event before unposting */
+-			pi_set_sn(vcpu_to_pi_desc(vcpu));
++		else
+ 			ret = irq_set_vcpu_affinity(host_irq, NULL);
+-			pi_clear_sn(vcpu_to_pi_desc(vcpu));
+-		}
+ 
+ 		if (ret < 0) {
+ 			printk(KERN_INFO "%s: failed to update PI IRTE\n",
+diff --git a/block/bsg-lib.c b/block/bsg-lib.c
+index 650f427d915b..341b8d858e67 100644
+--- a/block/bsg-lib.c
++++ b/block/bsg-lib.c
+@@ -147,7 +147,6 @@ static int bsg_create_job(struct device *dev, struct request *req)
+ failjob_rls_rqst_payload:
+ 	kfree(job->request_payload.sg_list);
+ failjob_rls_job:
+-	kfree(job);
+ 	return -ENOMEM;
+ }
+ 
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 6a60936b46e0..62ce93568e11 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1749,9 +1749,9 @@ static int common_nonsnoop_hash(struct talitos_edesc *edesc,
+ 		req_ctx->swinit = 0;
+ 	} else {
+ 		desc->ptr[1] = zero_entry;
+-		/* Indicate next op is not the first. */
+-		req_ctx->first = 0;
+ 	}
++	/* Indicate next op is not the first. */
++	req_ctx->first = 0;
+ 
+ 	/* HMAC key */
+ 	if (ctx->keylen)
+@@ -2770,7 +2770,8 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev,
+ 		t_alg->algt.alg.hash.final = ahash_final;
+ 		t_alg->algt.alg.hash.finup = ahash_finup;
+ 		t_alg->algt.alg.hash.digest = ahash_digest;
+-		t_alg->algt.alg.hash.setkey = ahash_setkey;
++		if (!strncmp(alg->cra_name, "hmac", 4))
++			t_alg->algt.alg.hash.setkey = ahash_setkey;
+ 		t_alg->algt.alg.hash.import = ahash_import;
+ 		t_alg->algt.alg.hash.export = ahash_export;
+ 
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 5eac08ffc697..d55bf85b76ce 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -818,6 +818,14 @@ static void stripe_add_to_batch_list(struct r5conf *conf, struct stripe_head *sh
+ 			spin_unlock(&head->batch_head->batch_lock);
+ 			goto unlock_out;
+ 		}
++		/*
++		 * We must assign batch_head of this stripe within the
++		 * batch_lock, otherwise clear_batch_ready of batch head
++		 * stripe could clear BATCH_READY bit of this stripe and
++		 * this stripe->batch_head doesn't get assigned, which
++		 * could confuse clear_batch_ready for this stripe
++		 */
++		sh->batch_head = head->batch_head;
+ 
+ 		/*
+ 		 * at this point, head's BATCH_READY could be cleared, but we
+@@ -825,8 +833,6 @@ static void stripe_add_to_batch_list(struct r5conf *conf, struct stripe_head *sh
+ 		 */
+ 		list_add(&sh->batch_list, &head->batch_list);
+ 		spin_unlock(&head->batch_head->batch_lock);
+-
+-		sh->batch_head = head->batch_head;
+ 	} else {
+ 		head->batch_head = head;
+ 		sh->batch_head = head->batch_head;
+@@ -4258,7 +4264,8 @@ static void break_stripe_batch_list(struct stripe_head *head_sh,
+ 
+ 		set_mask_bits(&sh->state, ~(STRIPE_EXPAND_SYNC_FLAGS |
+ 					    (1 << STRIPE_PREREAD_ACTIVE) |
+-					    (1 << STRIPE_DEGRADED)),
++					    (1 << STRIPE_DEGRADED) |
++					    (1 << STRIPE_ON_UNPLUG_LIST)),
+ 			      head_sh->state & (1 << STRIPE_INSYNC));
+ 
+ 		sh->check_state = head_sh->check_state;
+diff --git a/drivers/misc/cxl/api.c b/drivers/misc/cxl/api.c
+index ea3eeb7011e1..690eb1a18caf 100644
+--- a/drivers/misc/cxl/api.c
++++ b/drivers/misc/cxl/api.c
+@@ -176,6 +176,10 @@ int cxl_start_context(struct cxl_context *ctx, u64 wed,
+ 		kernel = false;
+ 	}
+ 
++	/*
++	 * Increment driver use count. Enables global TLBIs for hash
++	 * and callbacks to handle the segment table
++	 */
+ 	cxl_ctx_get();
+ 
+ 	if ((rc = cxl_attach_process(ctx, kernel, wed , 0))) {
+diff --git a/drivers/misc/cxl/file.c b/drivers/misc/cxl/file.c
+index 10a02934bfc0..013558f4da4f 100644
+--- a/drivers/misc/cxl/file.c
++++ b/drivers/misc/cxl/file.c
+@@ -94,7 +94,6 @@ static int __afu_open(struct inode *inode, struct file *file, bool master)
+ 
+ 	pr_devel("afu_open pe: %i\n", ctx->pe);
+ 	file->private_data = ctx;
+-	cxl_ctx_get();
+ 
+ 	/* indicate success */
+ 	rc = 0;
+@@ -205,11 +204,18 @@ static long afu_ioctl_start_work(struct cxl_context *ctx,
+ 	ctx->pid = get_task_pid(current, PIDTYPE_PID);
+ 	ctx->glpid = get_task_pid(current->group_leader, PIDTYPE_PID);
+ 
++	/*
++	 * Increment driver use count. Enables global TLBIs for hash
++	 * and callbacks to handle the segment table
++	 */
++	cxl_ctx_get();
++
+ 	trace_cxl_attach(ctx, work.work_element_descriptor, work.num_interrupts, amr);
+ 
+ 	if ((rc = cxl_attach_process(ctx, false, work.work_element_descriptor,
+ 				     amr))) {
+ 		afu_release_irqs(ctx, ctx);
++		cxl_ctx_put();
+ 		goto out;
+ 	}
+ 
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index f8b2b5987ea9..ec91cd17bf34 100644
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -522,7 +522,7 @@ static ssize_t driver_override_store(struct device *dev,
+ 				     const char *buf, size_t count)
+ {
+ 	struct pci_dev *pdev = to_pci_dev(dev);
+-	char *driver_override, *old = pdev->driver_override, *cp;
++	char *driver_override, *old, *cp;
+ 
+ 	/* We need to keep extra room for a newline */
+ 	if (count >= (PAGE_SIZE - 1))
+@@ -536,12 +536,15 @@ static ssize_t driver_override_store(struct device *dev,
+ 	if (cp)
+ 		*cp = '\0';
+ 
++	device_lock(dev);
++	old = pdev->driver_override;
+ 	if (strlen(driver_override)) {
+ 		pdev->driver_override = driver_override;
+ 	} else {
+ 		kfree(driver_override);
+ 		pdev->driver_override = NULL;
+ 	}
++	device_unlock(dev);
+ 
+ 	kfree(old);
+ 
+@@ -552,8 +555,12 @@ static ssize_t driver_override_show(struct device *dev,
+ 				    struct device_attribute *attr, char *buf)
+ {
+ 	struct pci_dev *pdev = to_pci_dev(dev);
++	ssize_t len;
+ 
+-	return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
++	device_lock(dev);
++	len = snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
++	device_unlock(dev);
++	return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+ 
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index e4b3d8f4fd85..bb4ed7b1f5df 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -3697,7 +3697,7 @@ iscsi_if_rx(struct sk_buff *skb)
+ 		uint32_t group;
+ 
+ 		nlh = nlmsg_hdr(skb);
+-		if (nlh->nlmsg_len < sizeof(*nlh) ||
++		if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
+ 		    skb->len < nlh->nlmsg_len) {
+ 			break;
+ 		}
+diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
+index f34ed47fcaf8..7f658fa4d22a 100644
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
+ #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
+ 	case ATYIO_CLKR:
+ 		if (M64_HAS(INTEGRATED)) {
+-			struct atyclk clk;
++			struct atyclk clk = { 0 };
+ 			union aty_pll *pll = &par->pll;
+ 			u32 dsp_config = pll->ct.dsp_config;
+ 			u32 dsp_on_off = pll->ct.dsp_on_off;
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index 8a58bbc14de2..f7b19c25c3a4 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -680,3 +680,22 @@ xen_swiotlb_set_dma_mask(struct device *dev, u64 dma_mask)
+ 	return 0;
+ }
+ EXPORT_SYMBOL_GPL(xen_swiotlb_set_dma_mask);
++
++/*
++ * Create userspace mapping for the DMA-coherent memory.
++ * This function should be called with the pages from the current domain only,
++ * passing pages mapped from other domains would lead to memory corruption.
++ */
++int
++xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
++		     void *cpu_addr, dma_addr_t dma_addr, size_t size,
++		     struct dma_attrs *attrs)
++{
++#if defined(CONFIG_ARM) || defined(CONFIG_ARM64)
++	if (__generic_dma_ops(dev)->mmap)
++		return __generic_dma_ops(dev)->mmap(dev, vma, cpu_addr,
++						    dma_addr, size, attrs);
++#endif
++	return dma_common_mmap(dev, vma, cpu_addr, dma_addr, size);
++}
++EXPORT_SYMBOL_GPL(xen_swiotlb_dma_mmap);
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 317b99acdf4b..9c3b9d07f341 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2984,7 +2984,7 @@ static int btrfs_cmp_data_prepare(struct inode *src, u64 loff,
+ out:
+ 	if (ret)
+ 		btrfs_cmp_data_free(cmp);
+-	return 0;
++	return ret;
+ }
+ 
+ static int btrfs_cmp_data(struct inode *src, u64 loff, struct inode *dst,
+@@ -4118,6 +4118,10 @@ static long btrfs_ioctl_default_subvol(struct file *file, void __user *argp)
+ 		ret = PTR_ERR(new_root);
+ 		goto out;
+ 	}
++	if (!is_fstree(new_root->objectid)) {
++		ret = -ENOENT;
++		goto out;
++	}
+ 
+ 	path = btrfs_alloc_path();
+ 	if (!path) {
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 8ca9aa92972d..9ebe027cc4b7 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -2350,11 +2350,11 @@ void free_reloc_roots(struct list_head *list)
+ 	while (!list_empty(list)) {
+ 		reloc_root = list_entry(list->next, struct btrfs_root,
+ 					root_list);
++		__del_reloc_root(reloc_root);
+ 		free_extent_buffer(reloc_root->node);
+ 		free_extent_buffer(reloc_root->commit_root);
+ 		reloc_root->node = NULL;
+ 		reloc_root->commit_root = NULL;
+-		__del_reloc_root(reloc_root);
+ 	}
+ }
+ 
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 53a827c6d8b1..b377aa8f266f 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -4060,6 +4060,14 @@ cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
+ 	cifs_dbg(FYI, "Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d\n",
+ 		 server->sec_mode, server->capabilities, server->timeAdj);
+ 
++	if (ses->auth_key.response) {
++		cifs_dbg(VFS, "Free previous auth_key.response = %p\n",
++			 ses->auth_key.response);
++		kfree(ses->auth_key.response);
++		ses->auth_key.response = NULL;
++		ses->auth_key.len = 0;
++	}
++
+ 	if (server->ops->sess_setup)
+ 		rc = server->ops->sess_setup(xid, ses, nls_info);
+ 
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index a0c0a49b6620..ec2d07bb9beb 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -224,6 +224,13 @@ cifs_nt_open(char *full_path, struct inode *inode, struct cifs_sb_info *cifs_sb,
+ 	if (backup_cred(cifs_sb))
+ 		create_options |= CREATE_OPEN_BACKUP_INTENT;
+ 
++	/* O_SYNC also has bit for O_DSYNC so following check picks up either */
++	if (f_flags & O_SYNC)
++		create_options |= CREATE_WRITE_THROUGH;
++
++	if (f_flags & O_DIRECT)
++		create_options |= CREATE_NO_BUFFER;
++
+ 	oparms.tcon = tcon;
+ 	oparms.cifs_sb = cifs_sb;
+ 	oparms.desired_access = desired_access;
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 6c484ddf26a9..f2ff60e58ec8 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -361,7 +361,7 @@ assemble_neg_contexts(struct smb2_negotiate_req *req)
+ 	build_encrypt_ctxt((struct smb2_encryption_neg_context *)pneg_ctxt);
+ 	req->NegotiateContextOffset = cpu_to_le32(OFFSET_OF_NEG_CONTEXT);
+ 	req->NegotiateContextCount = cpu_to_le16(2);
+-	inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context) + 2
++	inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context)
+ 			+ sizeof(struct smb2_encryption_neg_context)); /* calculate hash */
+ }
+ #else
+@@ -526,15 +526,22 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
+ 
+ 	/*
+ 	 * validation ioctl must be signed, so no point sending this if we
+-	 * can not sign it.  We could eventually change this to selectively
++	 * can not sign it (ie are not known user).  Even if signing is not
++	 * required (enabled but not negotiated), in those cases we selectively
+ 	 * sign just this, the first and only signed request on a connection.
+-	 * This is good enough for now since a user who wants better security
+-	 * would also enable signing on the mount. Having validation of
+-	 * negotiate info for signed connections helps reduce attack vectors
++	 * Having validation of negotiate info  helps reduce attack vectors.
+ 	 */
+-	if (tcon->ses->server->sign == false)
++	if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST)
+ 		return 0; /* validation requires signing */
+ 
++	if (tcon->ses->user_name == NULL) {
++		cifs_dbg(FYI, "Can't validate negotiate: null user mount\n");
++		return 0; /* validation requires signing */
++	}
++
++	if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
++		cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
++
+ 	vneg_inbuf.Capabilities =
+ 			cpu_to_le32(tcon->ses->server->vals->req_capabilities);
+ 	memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index 070901e76653..ff36f5475d7e 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -1814,13 +1814,10 @@ static void *gfs2_glock_seq_start(struct seq_file *seq, loff_t *pos)
+ {
+ 	struct gfs2_glock_iter *gi = seq->private;
+ 	loff_t n = *pos;
+-	int ret;
+-
+-	if (gi->last_pos <= *pos)
+-		n = (*pos - gi->last_pos);
+ 
+-	ret = rhashtable_walk_start(&gi->hti);
+-	if (ret)
++	if (rhashtable_walk_init(&gl_hash_table, &gi->hti) != 0)
++		return NULL;
++	if (rhashtable_walk_start(&gi->hti) != 0)
+ 		return NULL;
+ 
+ 	do {
+@@ -1828,6 +1825,7 @@ static void *gfs2_glock_seq_start(struct seq_file *seq, loff_t *pos)
+ 	} while (gi->gl && n--);
+ 
+ 	gi->last_pos = *pos;
++
+ 	return gi->gl;
+ }
+ 
+@@ -1839,6 +1837,7 @@ static void *gfs2_glock_seq_next(struct seq_file *seq, void *iter_ptr,
+ 	(*pos)++;
+ 	gi->last_pos = *pos;
+ 	gfs2_glock_iter_next(gi);
++
+ 	return gi->gl;
+ }
+ 
+@@ -1847,7 +1846,10 @@ static void gfs2_glock_seq_stop(struct seq_file *seq, void *iter_ptr)
+ 	struct gfs2_glock_iter *gi = seq->private;
+ 
+ 	gi->gl = NULL;
+-	rhashtable_walk_stop(&gi->hti);
++	if (gi->hti.walker) {
++		rhashtable_walk_stop(&gi->hti);
++		rhashtable_walk_exit(&gi->hti);
++	}
+ }
+ 
+ static int gfs2_glock_seq_show(struct seq_file *seq, void *iter_ptr)
+@@ -1910,12 +1912,10 @@ static int gfs2_glocks_open(struct inode *inode, struct file *file)
+ 		struct gfs2_glock_iter *gi = seq->private;
+ 
+ 		gi->sdp = inode->i_private;
+-		gi->last_pos = 0;
+ 		seq->buf = kmalloc(GFS2_SEQ_GOODSIZE, GFP_KERNEL | __GFP_NOWARN);
+ 		if (seq->buf)
+ 			seq->size = GFS2_SEQ_GOODSIZE;
+ 		gi->gl = NULL;
+-		ret = rhashtable_walk_init(&gl_hash_table, &gi->hti);
+ 	}
+ 	return ret;
+ }
+@@ -1926,7 +1926,6 @@ static int gfs2_glocks_release(struct inode *inode, struct file *file)
+ 	struct gfs2_glock_iter *gi = seq->private;
+ 
+ 	gi->gl = NULL;
+-	rhashtable_walk_exit(&gi->hti);
+ 	return seq_release_private(inode, file);
+ }
+ 
+@@ -1938,12 +1937,10 @@ static int gfs2_glstats_open(struct inode *inode, struct file *file)
+ 		struct seq_file *seq = file->private_data;
+ 		struct gfs2_glock_iter *gi = seq->private;
+ 		gi->sdp = inode->i_private;
+-		gi->last_pos = 0;
+ 		seq->buf = kmalloc(GFS2_SEQ_GOODSIZE, GFP_KERNEL | __GFP_NOWARN);
+ 		if (seq->buf)
+ 			seq->size = GFS2_SEQ_GOODSIZE;
+ 		gi->gl = NULL;
+-		ret = rhashtable_walk_init(&gl_hash_table, &gi->hti);
+ 	}
+ 	return ret;
+ }
+diff --git a/fs/read_write.c b/fs/read_write.c
+index 819ef3faf1bb..bfd1a5dddf6e 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -112,7 +112,7 @@ generic_file_llseek_size(struct file *file, loff_t offset, int whence,
+ 		 * In the generic case the entire file is data, so as long as
+ 		 * offset isn't at the end of the file then the offset is data.
+ 		 */
+-		if (offset >= eof)
++		if ((unsigned long long)offset >= eof)
+ 			return -ENXIO;
+ 		break;
+ 	case SEEK_HOLE:
+@@ -120,7 +120,7 @@ generic_file_llseek_size(struct file *file, loff_t offset, int whence,
+ 		 * There is a virtual hole at the end of the file, so as long as
+ 		 * offset isn't i_size or larger, return i_size.
+ 		 */
+-		if (offset >= eof)
++		if ((unsigned long long)offset >= eof)
+ 			return -ENXIO;
+ 		offset = eof;
+ 		break;
+diff --git a/include/linux/key.h b/include/linux/key.h
+index 66f705243985..dcc115e8dd03 100644
+--- a/include/linux/key.h
++++ b/include/linux/key.h
+@@ -177,6 +177,7 @@ struct key {
+ #define KEY_FLAG_TRUSTED_ONLY	9	/* set if keyring only accepts links to trusted keys */
+ #define KEY_FLAG_BUILTIN	10	/* set if key is builtin */
+ #define KEY_FLAG_ROOT_CAN_INVAL	11	/* set if key can be invalidated by root without permission */
++#define KEY_FLAG_UID_KEYRING	12	/* set if key is a user or user session keyring */
+ 
+ 	/* the key type and key description string
+ 	 * - the desc is used to match a key against search criteria
+@@ -218,6 +219,7 @@ extern struct key *key_alloc(struct key_type *type,
+ #define KEY_ALLOC_QUOTA_OVERRUN	0x0001	/* add to quota, permit even if overrun */
+ #define KEY_ALLOC_NOT_IN_QUOTA	0x0002	/* not in quota */
+ #define KEY_ALLOC_TRUSTED	0x0004	/* Key should be flagged as trusted */
++#define KEY_ALLOC_UID_KEYRING	0x0010	/* allocating a user or user session keyring */
+ 
+ extern void key_revoke(struct key *key);
+ extern void key_invalidate(struct key *key);
+diff --git a/include/linux/platform_data/mmp_dma.h b/include/linux/platform_data/mmp_dma.h
+index 2a330ec9e2af..d1397c8ed94e 100644
+--- a/include/linux/platform_data/mmp_dma.h
++++ b/include/linux/platform_data/mmp_dma.h
+@@ -14,6 +14,7 @@
+ 
+ struct mmp_dma_platdata {
+ 	int dma_channels;
++	int nb_requestors;
+ };
+ 
+ #endif /* MMP_DMA_H */
+diff --git a/include/xen/swiotlb-xen.h b/include/xen/swiotlb-xen.h
+index 8b2eb93ae8ba..4d7fdbf20eff 100644
+--- a/include/xen/swiotlb-xen.h
++++ b/include/xen/swiotlb-xen.h
+@@ -58,4 +58,9 @@ xen_swiotlb_dma_supported(struct device *hwdev, u64 mask);
+ 
+ extern int
+ xen_swiotlb_set_dma_mask(struct device *dev, u64 dma_mask);
++
++extern int
++xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
++		     void *cpu_addr, dma_addr_t dma_addr, size_t size,
++		     struct dma_attrs *attrs);
+ #endif /* __LINUX_SWIOTLB_XEN_H */
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
+index 15a1795bbba1..efd384f3f852 100644
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -457,14 +457,19 @@ static long seccomp_attach_filter(unsigned int flags,
+ 	return 0;
+ }
+ 
++void __get_seccomp_filter(struct seccomp_filter *filter)
++{
++	/* Reference count is bounded by the number of total processes. */
++	atomic_inc(&filter->usage);
++}
++
+ /* get_seccomp_filter - increments the reference count of the filter on @tsk */
+ void get_seccomp_filter(struct task_struct *tsk)
+ {
+ 	struct seccomp_filter *orig = tsk->seccomp.filter;
+ 	if (!orig)
+ 		return;
+-	/* Reference count is bounded by the number of total processes. */
+-	atomic_inc(&orig->usage);
++	__get_seccomp_filter(orig);
+ }
+ 
+ static inline void seccomp_filter_free(struct seccomp_filter *filter)
+@@ -475,10 +480,8 @@ static inline void seccomp_filter_free(struct seccomp_filter *filter)
+ 	}
+ }
+ 
+-/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
+-void put_seccomp_filter(struct task_struct *tsk)
++static void __put_seccomp_filter(struct seccomp_filter *orig)
+ {
+-	struct seccomp_filter *orig = tsk->seccomp.filter;
+ 	/* Clean up single-reference branches iteratively. */
+ 	while (orig && atomic_dec_and_test(&orig->usage)) {
+ 		struct seccomp_filter *freeme = orig;
+@@ -487,6 +490,12 @@ void put_seccomp_filter(struct task_struct *tsk)
+ 	}
+ }
+ 
++/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
++void put_seccomp_filter(struct task_struct *tsk)
++{
++	__put_seccomp_filter(tsk->seccomp.filter);
++}
++
+ /**
+  * seccomp_send_sigsys - signals the task to allow in-process syscall emulation
+  * @syscall: syscall number to send to userland
+@@ -927,13 +936,13 @@ long seccomp_get_filter(struct task_struct *task, unsigned long filter_off,
+ 	if (!data)
+ 		goto out;
+ 
+-	get_seccomp_filter(task);
++	__get_seccomp_filter(filter);
+ 	spin_unlock_irq(&task->sighand->siglock);
+ 
+ 	if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog)))
+ 		ret = -EFAULT;
+ 
+-	put_seccomp_filter(task);
++	__put_seccomp_filter(filter);
+ 	return ret;
+ 
+ out:
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 002ec084124b..17c59e78661b 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -1159,6 +1159,8 @@ static struct ctl_table kern_table[] = {
+ 		.maxlen		= sizeof(unsigned int),
+ 		.mode		= 0644,
+ 		.proc_handler	= timer_migration_handler,
++		.extra1		= &zero,
++		.extra2		= &one,
+ 	},
+ #endif
+ #ifdef CONFIG_BPF_SYSCALL
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index bbc5d1114583..125407144c01 100644
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -127,7 +127,7 @@ int timer_migration_handler(struct ctl_table *table, int write,
+ 	int ret;
+ 
+ 	mutex_lock(&mutex);
+-	ret = proc_dointvec(table, write, buffer, lenp, ppos);
++	ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ 	if (!ret && write)
+ 		timers_update_migration(false);
+ 	mutex_unlock(&mutex);
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 4743066010c4..b64f35afee4e 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -3226,11 +3226,17 @@ static int tracing_open(struct inode *inode, struct file *file)
+ 	/* If this file was open for write, then erase contents */
+ 	if ((file->f_mode & FMODE_WRITE) && (file->f_flags & O_TRUNC)) {
+ 		int cpu = tracing_get_cpu(inode);
++		struct trace_buffer *trace_buf = &tr->trace_buffer;
++
++#ifdef CONFIG_TRACER_MAX_TRACE
++		if (tr->current_trace->print_max)
++			trace_buf = &tr->max_buffer;
++#endif
+ 
+ 		if (cpu == RING_BUFFER_ALL_CPUS)
+-			tracing_reset_online_cpus(&tr->trace_buffer);
++			tracing_reset_online_cpus(trace_buf);
+ 		else
+-			tracing_reset(&tr->trace_buffer, cpu);
++			tracing_reset(trace_buf, cpu);
+ 	}
+ 
+ 	if (file->f_mode & FMODE_READ) {
+@@ -4701,7 +4707,7 @@ static int tracing_wait_pipe(struct file *filp)
+ 		 *
+ 		 * iter->pos will be 0 if we haven't read anything.
+ 		 */
+-		if (!tracing_is_on() && iter->pos)
++		if (!tracer_tracing_is_on(iter->tr) && iter->pos)
+ 			break;
+ 
+ 		mutex_unlock(&iter->mutex);
+diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
+index 04401037140e..b6be51940ead 100644
+--- a/net/mac80211/offchannel.c
++++ b/net/mac80211/offchannel.c
+@@ -469,6 +469,8 @@ void ieee80211_roc_purge(struct ieee80211_local *local,
+ 	struct ieee80211_roc_work *roc, *tmp;
+ 	LIST_HEAD(tmp_list);
+ 
++	flush_work(&local->hw_roc_start);
++
+ 	mutex_lock(&local->mtx);
+ 	list_for_each_entry_safe(roc, tmp, &local->roc_list, list) {
+ 		if (sdata && roc->sdata != sdata)
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index de10e3c0e2a4..8ece212aa3d2 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -9786,6 +9786,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
+ 	if (err)
+ 		return err;
+ 
++	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
++	    !tb[NL80211_REKEY_DATA_KCK])
++		return -EINVAL;
+ 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
+ 		return -ERANGE;
+ 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index 5105c2c2da75..51ffb9cde073 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -136,7 +136,7 @@ extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
+ extern key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx);
+ extern key_ref_t search_process_keyrings(struct keyring_search_context *ctx);
+ 
+-extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
++extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
+ 
+ extern int install_user_keyrings(void);
+ extern int install_thread_keyring_to_cred(struct cred *);
+diff --git a/security/keys/key.c b/security/keys/key.c
+index 09c10b181881..51d23c623424 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -296,6 +296,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
+ 		key->flags |= 1 << KEY_FLAG_IN_QUOTA;
+ 	if (flags & KEY_ALLOC_TRUSTED)
+ 		key->flags |= 1 << KEY_FLAG_TRUSTED;
++	if (flags & KEY_ALLOC_UID_KEYRING)
++		key->flags |= 1 << KEY_FLAG_UID_KEYRING;
+ 
+ #ifdef KEY_DEBUGGING
+ 	key->magic = KEY_DEBUG_MAGIC;
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index 671709d8610d..a009dc66eb8f 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -738,6 +738,11 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
+ 
+ 	key = key_ref_to_ptr(key_ref);
+ 
++	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
++		ret = -ENOKEY;
++		goto error2;
++	}
++
+ 	/* see if we can read it directly */
+ 	ret = key_permission(key_ref, KEY_NEED_READ);
+ 	if (ret == 0)
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index f931ccfeefb0..0c8dd4fbe130 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -416,7 +416,7 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m)
+ }
+ 
+ struct keyring_read_iterator_context {
+-	size_t			qty;
++	size_t			buflen;
+ 	size_t			count;
+ 	key_serial_t __user	*buffer;
+ };
+@@ -428,9 +428,9 @@ static int keyring_read_iterator(const void *object, void *data)
+ 	int ret;
+ 
+ 	kenter("{%s,%d},,{%zu/%zu}",
+-	       key->type->name, key->serial, ctx->count, ctx->qty);
++	       key->type->name, key->serial, ctx->count, ctx->buflen);
+ 
+-	if (ctx->count >= ctx->qty)
++	if (ctx->count >= ctx->buflen)
+ 		return 1;
+ 
+ 	ret = put_user(key->serial, ctx->buffer);
+@@ -465,16 +465,12 @@ static long keyring_read(const struct key *keyring,
+ 		return 0;
+ 
+ 	/* Calculate how much data we could return */
+-	ctx.qty = nr_keys * sizeof(key_serial_t);
+-
+ 	if (!buffer || !buflen)
+-		return ctx.qty;
+-
+-	if (buflen > ctx.qty)
+-		ctx.qty = buflen;
++		return nr_keys * sizeof(key_serial_t);
+ 
+ 	/* Copy the IDs of the subscribed keys into the buffer */
+ 	ctx.buffer = (key_serial_t __user *)buffer;
++	ctx.buflen = buflen;
+ 	ctx.count = 0;
+ 	ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
+ 	if (ret < 0) {
+@@ -965,15 +961,15 @@ found:
+ /*
+  * Find a keyring with the specified name.
+  *
+- * All named keyrings in the current user namespace are searched, provided they
+- * grant Search permission directly to the caller (unless this check is
+- * skipped).  Keyrings whose usage points have reached zero or who have been
+- * revoked are skipped.
++ * Only keyrings that have nonzero refcount, are not revoked, and are owned by a
++ * user in the current user namespace are considered.  If @uid_keyring is %true,
++ * the keyring additionally must have been allocated as a user or user session
++ * keyring; otherwise, it must grant Search permission directly to the caller.
+  *
+  * Returns a pointer to the keyring with the keyring's refcount having being
+  * incremented on success.  -ENOKEY is returned if a key could not be found.
+  */
+-struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
++struct key *find_keyring_by_name(const char *name, bool uid_keyring)
+ {
+ 	struct key *keyring;
+ 	int bucket;
+@@ -1001,10 +997,15 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
+ 			if (strcmp(keyring->description, name) != 0)
+ 				continue;
+ 
+-			if (!skip_perm_check &&
+-			    key_permission(make_key_ref(keyring, 0),
+-					   KEY_NEED_SEARCH) < 0)
+-				continue;
++			if (uid_keyring) {
++				if (!test_bit(KEY_FLAG_UID_KEYRING,
++					      &keyring->flags))
++					continue;
++			} else {
++				if (key_permission(make_key_ref(keyring, 0),
++						   KEY_NEED_SEARCH) < 0)
++					continue;
++			}
+ 
+ 			/* we've got a match but we might end up racing with
+ 			 * key_cleanup() if the keyring is currently 'dead'
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 4ed909142956..7dd050f24261 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -76,7 +76,9 @@ int install_user_keyrings(void)
+ 		if (IS_ERR(uid_keyring)) {
+ 			uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
+ 						    cred, user_keyring_perm,
+-						    KEY_ALLOC_IN_QUOTA, NULL);
++						    KEY_ALLOC_UID_KEYRING |
++							KEY_ALLOC_IN_QUOTA,
++						    NULL);
+ 			if (IS_ERR(uid_keyring)) {
+ 				ret = PTR_ERR(uid_keyring);
+ 				goto error;
+@@ -92,7 +94,9 @@ int install_user_keyrings(void)
+ 			session_keyring =
+ 				keyring_alloc(buf, user->uid, INVALID_GID,
+ 					      cred, user_keyring_perm,
+-					      KEY_ALLOC_IN_QUOTA, NULL);
++					      KEY_ALLOC_UID_KEYRING |
++						  KEY_ALLOC_IN_QUOTA,
++					      NULL);
+ 			if (IS_ERR(session_keyring)) {
+ 				ret = PTR_ERR(session_keyring);
+ 				goto error_release;